Code Injection Vulnerability in Roo Code AI-Coding Assistant
CVE-2025-57771

8.1 HIGH

Key Information:

Vendor: Roocodeinc

Status: Vendor

CVE Published: 22 August 2025

What is CVE-2025-57771?

Roo Code, an AI-powered autonomous coding assistant, has a code injection vulnerability in versions prior to 3.25.5 caused by improper handling of process substitution and ampersand characters in its command parsing logic. When a user has enabled auto-approved command execution, the parser can misjudge a crafted command line as matching an approved command, allowing an attacker who can influence the command text to execute arbitrary commands on the developer's machine. The auto-approval feature is disabled by default, but where it is enabled the impact is execution of unintended commands with the user's privileges. The issue is fixed in version 3.25.5.
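The advisory describes a parsing weakness: an auto-approval check that looks only at the start of a command line never sees what follows a background `&` or what is hidden inside a process substitution `<(...)`. The following is an added illustration, not Roo Code's own code, of the difference between such a naive prefix check and a hardened gate that refuses process and command substitution and validates every segment separated by a shell control operator. The allowlist entries, the function names and the sample commands are constructed for this example.

```typescript
// Added example (not Roo Code's code): an auto-approval gate for shell
// commands proposed by an AI coding assistant. The allowlist below is a
// constructed operator policy of permitted command prefixes.
const ALLOWLIST: readonly string[] = ["ls", "git status", "npm test"];

// Naive gate: approves the line if it merely begins with an allowed prefix.
// Text after a background "&", "&&", ";" or inside "<( )" is never examined,
// which is the class of weakness described in CVE-2025-57771.
function naiveIsAutoApproved(command: string): boolean {
  const line = command.trim();
  return ALLOWLIST.some((prefix) => line.startsWith(prefix));
}

// Constructs that can embed a second command inside an innocent-looking one.
const PROCESS_SUBSTITUTION = /[<>]\(/;          // <(cmd) or >(cmd)
const COMMAND_SUBSTITUTION = /\$\(|`/;          // $(cmd) or `cmd`
// Shell control operators that start a new command. "&&" and "||" are listed
// before the single-character forms so the alternation matches them whole.
const CONTROL_OPERATORS = /\|\||&&|;|\||&|\n/;

// Hardened gate: reject anything that can hide a command, then require every
// segment between control operators to match the allowlist exactly or as a
// prefix followed by whitespace. Splitting on a lone "&" also splits "2>&1";
// that is deliberately conservative, since a redirection like that is then
// simply not auto-approved.
function hardenedIsAutoApproved(command: string): boolean {
  if (PROCESS_SUBSTITUTION.test(command) || COMMAND_SUBSTITUTION.test(command)) {
    return false;
  }
  const segments = command
    .split(CONTROL_OPERATORS)
    .map((s) => s.trim())
    .filter((s) => s.length > 0);
  if (segments.length === 0) return false;
  return segments.every((segment) =>
    ALLOWLIST.some(
      (prefix) => segment === prefix || segment.startsWith(prefix + " ")
    )
  );
}

interface GateDecision {
  command: string;
  naive: boolean;
  hardened: boolean;
}

// Runs both gates over a list of command lines so the two policies can be
// compared side by side.
function auditCommands(commands: readonly string[]): GateDecision[] {
  return commands.map((command) => ({
    command,
    naive: naiveIsAutoApproved(command),
    hardened: hardenedIsAutoApproved(command),
  }));
}

// Constructed sample command lines: two legitimate, three smuggling a second
// command past the naive prefix check.
const SAMPLE_COMMANDS: readonly string[] = [
  "ls -la",
  "git status",
  "ls <(whoami)",
  "ls & whoami",
  "git status && whoami",
];

for (const decision of auditCommands(SAMPLE_COMMANDS)) {
  console.log(
    `${decision.command.padEnd(24)} naive=${decision.naive} hardened=${decision.hardened}`
  );
}
```

The hardened gate is intentionally strict: it would rather decline to auto-approve a legitimate but unusual command than approve a line whose full effect it cannot see, which is the right trade-off for a feature that runs commands without a human in the loop.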

Affected Version(s)

Roo-Code < 3.25.5

References

CVSS V3.1

Score: 8.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
